Abstract

In this paper we propose an approach to reasoning about properties of imperative programs. We assume in this context that the meanings of program constructs are described using rules in the natural semantics style with the additional observation that these rules may involve the treatment of state. Our approach involves modeling natural semantics style rules within a logic and then reasoning about the behavior of particular programs by reasoning about proofs in that logic. A key aspect of our proposal is to use a fragment of linear logic called Lolli (invented by Hodas and Miller) to model natural semantics style descriptions. Being based on linear logic, Lolli can provide logical expression to resources such as state. Lolli additionally possesses proof-theoretic properties that allow it to encode natural semantics style descriptions in such a way that proofs in Lolli mimic the structure of derivations based on the natural semantics rules. We will discuss these properties of Lolli and demonstrate how they can be exploited in modeling the semantics of imperative programs and in reasoning about such models.

1. Introduction 

This paper concerns an approach to reasoning about the properties of imperative programs. Such programs, written in languages like Java and C, play an important role in safety- and security-critical systems. They are pervasive, for example, in the software contained in medical devices and financial systems. Programs that malfunction in such contexts can lead to catastrophic system behavior. The underlying motivation for this work is that through the process of formal reasoning we can establish the absence of such bugs before these programs are run and thereby preclude undesirable behavior after their deployment.

Our objective in this work is not to reason about properties of particular programs but, rather, to develop a broad framework within which such reasoning may be conducted. An important ingredient of such a framework is a logic for describing the semantics of the programming language in which programs are constructed; a formalization of the semantics can then be combined with the description of a given program to model its overall behavior. An aspect that needs special treatment when dealing with imperative programs in this setting is the notion of state; imperative programs typically manipulate memory by storing and looking up values in relevant cells and how exactly they do this is important to understanding their behavior. Thus, the logic that we choose for our framework must facilitate the description as well as the analysis of the role of state in computations.

In constructing the framework we desire, we must also choose an approach to presenting the semantics of a programming language. We propose in this work to use the natural semantics style introduced by Kahn [12] for this purpose. Natural semantics style allows the meaning of a programming language construct to be modeled via derivations that closely reflect the actual computations that result from the construct. Thus, the process of reasoning about program behavior boils down naturally to reasoning about natural semantics style derivations. In our framework, programming language semantics will be modeled by translating these natural semantics descriptions into the underlying logic. This actually places two further constraints on the logic. First, it should have a structure that supports a natural encoding of natural semantics style descriptions. Second, the inference process in the logic should correspond transparently to the process of constructing natural semantics style derivations; this property allows reasoning about natural semantics style derivations to be reduced uniformly to reasoning about proofs in the logic.

The main thrust of the work in this paper is to identify a logic that satisfies the constraints described above and that would thereby be a suitable choice for encoding programs and programming language semantics within the framework we seek to design. We contend that linear logic, a logic of resources and actions invented by Jean-Yves Girard [13], provides a natural means for treating state-based aspects of computation and hence constitutes a good starting point. However, the logic we use needs also to allow for a treatment of natural semantics style descriptions. We argue that Lolli, a fragment of linear logic identified by Hodas and Miller [13], has such a character. To provide substance to our claim, we demonstrate how this logic can be used to model the semantics of a small collection of constructs in an imperative programming language. We further show how the meta-theoretic properties of Lolli allow us to translate an informal style of reasoning based on natural semantics derivations into reasoning about derivations in Lolli. Although a formalization of this reasoning process is beyond the scope of this work, we believe that this can be done following the approach used in the Abella system [?].

The rest of this paper is structured as follows. In the next section, we describe a simple imperative programming language and we present the meanings of the constructs in this language in natural semantics style. We then consider a small program in this language and show how we can organize the process of reasoning about it around natural semantics style derivations. This language and reasoning example provide us the means for explaining and defending our main contributions in the sections that follow. In Section 3 we present Lolli and we discuss the properties of derivations in it. In the following section we show how Lolli can be used to formalize the imperative programming language described earlier. In Section 5 we demonstrate how the properties of Lolli can be used in reasoning. In particular, we show that the informal reasoning process based on the natural semantics style presentation translates naturally into reasoning about derivations in Lolli. We conclude the paper in Section 6 with indications of directions in this work that may be worthwhile to pursue in the future.

2. A Simple Imperative Programming Language

In this section we define an imperative programming language and its evaluation semantics. We use these definitions to demonstrate how a program written in the language can be reasoned about informally.

2.1 The Language 

The syntax of programs in our imperative programming language $\mathcal{L}$ is given by the following rules:

$$R ::= N \mid R + R \mid R - R \mid R > R \mid {*}R \mid R \leftarrow R \mid R ; R \mid (R) \mid \mathbf{while}\ R\ \mathbf{do}\ R$$

In this definition, the symbol $N$ represents the category of expressions corresponding to the non-negative integers and the programs ${*}R$, $R_1 \leftarrow R_2$, and $R_1 ; R_2$ correspond to memory lookup (like in C), update of the value stored at $R_2$ to $R_1$, and evaluation of $R_1$ followed by evaluation of $R_2$, respectively. The last construct included by the syntax rules permits indefinite iteration in the language.

We will need a model of memory in order to present the semantics of the constructs in our language. Towards this end, we will represent memory as a partial function from natural numbers (denoted also in an overloaded fashion by $N$) to expressions in the language that correspond to natural numbers. Given memory $M$, we will use the notation $M[x \mapsto y]$ to denote a modified memory given by the following partial function:

$$M[x \mapsto y](a) = \begin{cases} y & \text{if } x = a \\ M(a) & \text{if } x \neq a \end{cases}$$

Notice that although memory is modelled as a function from the conceptual domain of natural numbers, we will often want to do a "lookup" using the result of a computation. By an abuse of notation, we will allow memory to be "applied" to the expressions that denote natural numbers in the language.

We present the semantics of the constructs in our language by explaining what it means to evaluate them. We do this by defining an "evaluation relation" that we write as

$$\langle R, M\rangle \leadsto \langle N, M'\rangle.$$

This relation is to be read as "the program $R$ evaluated in memory $M$ returns value $N$ and modifies the memory to $M'$" or, when memory is not of interest, "$R$ evaluates to value $N$." When referring to components of this relation we may refer to the "input program expression", the "input memory", the "return value", and the "output memory", respectively. We define this relation through rules in the natural semantics style that are presented in Figure 1. For the uninitiated reader, each of these rules is to be read as asserting that the relation shown below the line holds if all the relations or properties above the line hold; the former is called the conclusion of the rule and the latter are called its premises. Notice that if a rule has no premises then its conclusion is unconditionally true.

A few comments are in order with regard to the rules in Figure 1. First, these rules are meant to be read as schemata: actual rules are to be generated by instantiating the schema variables $N$, $N_1$, $N_2$, and $N_3$ by (expressions denoting) numbers in $N$, $R$, $R_1$, and $R_2$ by programs in $\mathcal{L}$, and $M$, $M'$, $M''$, and $M'''$ by memory. Second, in keeping with the systematic confusion of natural numbers with their representation in $\mathcal{L}$, we have also overloaded the operators $+$, $-$, $>$, $\le$, and $\in$. Note also that with $-$ we associate the usual subtraction operation on natural numbers: $N_1 - N_2$ is $0$ if $N_1$ is less than $N_2$. Finally, these rules make precise the interpretation that we would naturally think of associating with each of the constructs in the language. In this regard, the first five rules need no further explanation. The sixth and seventh rules encode the meaning of memory lookup and update, respectively: ${*}R$ causes $R$ to be evaluated and the memory to be looked up at the resulting location while leaving the memory unchanged, whereas $R_1 \leftarrow R_2$ causes memory to be changed at the location corresponding to $R_1$ by the value corresponding to $R_2$. Notice also that the rightmost premise of the memory update rule ensures that the domain of memory remains fixed throughout evaluation. The last three rules make precise the meaning of sequencing and of while as an iteration construct.

$$\frac{}{\langle N, M\rangle \leadsto \langle N, M\rangle}$$

$$\frac{\langle E_1, M\rangle \leadsto \langle N_1, M'\rangle \quad \langle E_2, M'\rangle \leadsto \langle N_2, M''\rangle}{\langle E_1 + E_2, M\rangle \leadsto \langle N_1 + N_2, M''\rangle}$$

$$\frac{\langle E_1, M\rangle \leadsto \langle N_1, M'\rangle \quad \langle E_2, M'\rangle \leadsto \langle N_2, M''\rangle}{\langle E_1 - E_2, M\rangle \leadsto \langle N_1 - N_2, M''\rangle}$$

$$\frac{\langle E_1, M\rangle \leadsto \langle N_1, M'\rangle \quad \langle E_2, M'\rangle \leadsto \langle N_2, M''\rangle \quad N_1 > N_2}{\langle E_1 > E_2, M\rangle \leadsto \langle 1, M''\rangle}$$

$$\frac{\langle E_1, M\rangle \leadsto \langle N_1, M'\rangle \quad \langle E_2, M'\rangle \leadsto \langle N_2, M''\rangle \quad N_1 \le N_2}{\langle E_1 > E_2, M\rangle \leadsto \langle 0, M''\rangle}$$

$$\frac{\langle R, M\rangle \leadsto \langle N, M'\rangle \quad M'(N) = N'}{\langle {*}R, M\rangle \leadsto \langle N', M'\rangle}$$

$$\frac{\langle R_1, M\rangle \leadsto \langle N_1, M'\rangle \quad \langle R_2, M'\rangle \leadsto \langle N_2, M''\rangle \quad M''(N_1) = N_3}{\langle R_1 \leftarrow R_2, M\rangle \leadsto \langle N_2, M''[N_1 \mapsto N_2]\rangle}$$

$$\frac{\langle R_1, M\rangle \leadsto \langle N_1, M'\rangle \quad \langle R_2, M'\rangle \leadsto \langle N_2, M''\rangle}{\langle R_1 ; R_2, M\rangle \leadsto \langle N_2, M''\rangle}$$

$$\frac{\langle R_1, M\rangle \leadsto \langle 0, M'\rangle}{\langle \mathbf{while}\ R_1\ \mathbf{do}\ R_2, M\rangle \leadsto \langle 0, M'\rangle}$$

$$\frac{\langle R_1, M\rangle \leadsto \langle N_1, M'\rangle \quad \langle R_2, M'\rangle \leadsto \langle N_2, M''\rangle \quad \langle \mathbf{while}\ R_1\ \mathbf{do}\ R_2, M''\rangle \leadsto \langle N_3, M'''\rangle \quad N_1 > 0}{\langle \mathbf{while}\ R_1\ \mathbf{do}\ R_2, M\rangle \leadsto \langle N_3, M'''\rangle}$$

Figure 1. Evaluation semantics for the imperative language $\mathcal{L}$.

When building derivations, we may build derivations for premises in any order provided the constraints between premises are met. However, we may significantly simplify the process of proof construction if we build them sequentially from the leftmost premise to the rightmost premise. Observe that adopting such a derivation building strategy does not limit the derivations that can be built.

2.2 Derivations as Computations 

The rules defining the evaluation semantics provide us a means for constructing derivations of particular evaluation relations. Such derivations can be understood as an abstract view of the computation that results from particular programs. For example, suppose we are given a particular program $R$ and a starting memory $M$ and we desire to understand what value this program computes and what impact it has on memory. In this case, we would pick two "meta variables" $N$ and $M'$ and attempt to construct a derivation for the evaluation relation

$$\langle R, M\rangle \leadsto \langle N, M'\rangle$$

with the proviso that we may instantiate $N$ and $M'$ as needed along the way. Note also that the result of a computation must in fact be validated by success in constructing such a derivation. Thus, by analyzing all the possible derivations we also obtain a means for establishing properties of computations.

To illustrate the connection between derivations and computations in this setting, let us consider the program

$$2 \leftarrow {*}0;\ (0 \leftarrow {*}1;\ 1 \leftarrow {*}2)$$

and its evaluation in some memory $M$ defined at locations $0$, $1$, and $2$. This program swaps the values stored at two locations using a third location as temporary storage. We will build a derivation piecemeal, showing that for some $N$, the evaluation relation

$$\langle 2 \leftarrow {*}0;\ (0 \leftarrow {*}1;\ 1 \leftarrow {*}2), M\rangle \leadsto \langle N, M[2 \mapsto M(0)][0 \mapsto M(1)][1 \mapsto M(0)]\rangle$$

holds.

Let $X$ be the following derivation for $\langle 2 \leftarrow {*}0, M\rangle \leadsto \langle M(0), M'\rangle$ where $M' = M[2 \mapsto M(0)]$:

$$\frac{\langle 2, M\rangle \leadsto \langle 2, M\rangle \quad \dfrac{\langle 0, M\rangle \leadsto \langle 0, M\rangle}{\langle {*}0, M\rangle \leadsto \langle M(0), M\rangle} \quad M(2) = N_1}{\langle 2 \leftarrow {*}0, M\rangle \leadsto \langle M(0), M'\rangle}$$

Let $\Psi$ be the following derivation for $\langle 0 \leftarrow {*}1, M'\rangle \leadsto \langle M'(1), M''\rangle$ where $M'' = M'[0 \mapsto M'(1)]$:

$$\frac{\langle 0, M'\rangle \leadsto \langle 0, M'\rangle \quad \dfrac{\langle 1, M'\rangle \leadsto \langle 1, M'\rangle}{\langle {*}1, M'\rangle \leadsto \langle M'(1), M'\rangle} \quad M'(0) = N_2}{\langle 0 \leftarrow {*}1, M'\rangle \leadsto \langle M'(1), M''\rangle}$$

Finally, let $\Xi$ be the following derivation for $\langle 1 \leftarrow {*}2, M''\rangle \leadsto \langle M''(2), M'''\rangle$ where $M''' = M''[1 \mapsto M''(2)]$:

$$\frac{\langle 1, M''\rangle \leadsto \langle 1, M''\rangle \quad \dfrac{\langle 2, M''\rangle \leadsto \langle 2, M''\rangle}{\langle {*}2, M''\rangle \leadsto \langle M''(2), M''\rangle} \quad M''(1) = N_3}{\langle 1 \leftarrow {*}2, M''\rangle \leadsto \langle M''(2), M'''\rangle}$$

Then we can combine $X$, $\Psi$ and $\Xi$ to obtain the complete derivation that is shown below for the complete program expression of interest:

$$\frac{X \quad \dfrac{\Psi \quad \Xi}{\langle 0 \leftarrow {*}1;\ 1 \leftarrow {*}2, M'\rangle \leadsto \langle M''(2), M'''\rangle}}{\langle 2 \leftarrow {*}0;\ (0 \leftarrow {*}1;\ 1 \leftarrow {*}2), M\rangle \leadsto \langle M''(2), M'''\rangle}$$

To arrive at the desired conclusion, we have to show that $M'''$, the memory at the end of the computation, is equivalent to

$$M[2 \mapsto M(0)][0 \mapsto M(1)][1 \mapsto M(0)].$$

Substituting the definition of $M'$ in the definition of $M''$ yields

$$M[2 \mapsto M(0)][0 \mapsto M[2 \mapsto M(0)](1)].$$

By observing that

$$M[2 \mapsto M(0)](1) = M(1)$$

we have

$$M'' = M[2 \mapsto M(0)][0 \mapsto M(1)].$$

Replacing this result for $M''$ in the definition of $M'''$ we get

$$M[2 \mapsto M(0)][0 \mapsto M(1)][1 \mapsto M[2 \mapsto M(0)][0 \mapsto M(1)](2)].$$

Finally, by observing that

$$M[2 \mapsto M(0)][0 \mapsto M(1)](2) = M(0)$$

we arrive at the conclusion we want:

$$M''' = M[2 \mapsto M(0)][0 \mapsto M(1)][1 \mapsto M(0)].$$

2.3 Informal Reasoning about Imperative Programs 

As we have explained earlier, we can extract information about the behavior of a program by analyzing the derivations that result from it. We illustrate this possibility in this subsection by showing how to demonstrate the correctness of a program for calculating the sum of the integers from $0$ to a particular number $N$. Our argument at this stage will be informal; later sections will discuss a framework for formalizing this style of argument.

Let $U$ be the following program:

$$\mathbf{while}\ ({*}1) > 0\ \mathbf{do}\ 0 \leftarrow {*}0 + {*}1;\ 1 \leftarrow {*}1 - 1 \qquad (1)$$

Consider the program $V$ written to calculate the value of $\sum_{i=0}^{N} i$, constructed with $U$:

$$0 \leftarrow 0;\ (1 \leftarrow N;\ U) \qquad (2)$$

We will show that given any $N$ and any memory defined at $0$ and $1$, $V$ calculates the correct answer and stores it in memory.

Lemma 1 (Total Correctness of $U$ using structural operational semantics). $\forall N_1, N_2, M$, if $N_1, N_2 \in N$ and $M$ is memory where $M(0) = N_2$ and $M(1) = N_1$ then $\exists M'$ such that $\langle U, M\rangle \leadsto \langle 0, M'\rangle$ and $M'(0) = N_2 + \sum_{i=0}^{N_1} i$.

Proof of Lemma 1. This will be proven by induction on $N_1$.

If $N_1 = 0$ then the following derivation can be constructed and $M'(0) = N_2 = N_2 + \sum_{i=0}^{0} i$:

$$\frac{\dfrac{\dfrac{\langle 1, M\rangle \leadsto \langle 1, M\rangle}{\langle {*}1, M\rangle \leadsto \langle 0, M\rangle} \quad \langle 0, M\rangle \leadsto \langle 0, M\rangle \quad 0 \le 0}{\langle ({*}1) > 0, M\rangle \leadsto \langle 0, M\rangle}}{\langle \mathbf{while}\ ({*}1) > 0\ \mathbf{do}\ U, M\rangle \leadsto \langle 0, M\rangle}$$

If $M(1) = N_1$ and it is assumed this lemma holds for all memory $W$ where $W(1) < N_1$ then the following derivation can be constructed:

$$\frac{X \quad 1 > 0 \quad \Psi \quad \dfrac{\Pi}{\langle \mathbf{while}\ ({*}1) > 0\ \mathbf{do}\ U, M''\rangle \leadsto \langle 0, M'''\rangle}}{\langle \mathbf{while}\ ({*}1) > 0\ \mathbf{do}\ U, M\rangle \leadsto \langle 0, M'''\rangle}$$

In this derivation, we let $M' = M[0 \mapsto M(0) + M(1)]$, $M'' = M'[1 \mapsto M(1) - 1]$, and $M'''$ is the result memory from our inductive hypothesis. Let $X$ be a derivation with an end-sequent of $\langle ({*}1) > 0, M\rangle \leadsto \langle 1, M\rangle$ and $\Psi$ be a derivation with an end-sequent of $\langle 0 \leftarrow {*}0 + {*}1;\ 1 \leftarrow {*}1 - 1, M\rangle \leadsto \langle M(1) - 1, M''\rangle$. Both of these derivations can be constructed but are omitted; they are uninteresting with respect to this case. Since $M''(1) < N_1$ the inductive hypothesis can be used to give a derivation for $\Pi$. □

From Lemma 1 the following theorem is easily shown:

Theorem 2 (Total Correctness of $V$ using structural operational semantics). $\forall N, M$, if $N \in N$ and $M$ is memory defined at $M(0)$ and $M(1)$ then $\exists M'$ such that $\langle V, M\rangle \leadsto \langle 0, M'\rangle$ and $M'(0) = \sum_{i=0}^{N} i$.

Proof of Theorem 2. By case analysis on the derivation for $\langle V, M\rangle \leadsto \langle 0, M'\rangle$ it suffices to show there is a derivation for $\langle U, (M[0 \mapsto 0])[1 \mapsto N]\rangle \leadsto \langle 0, M'\rangle$ where $M'(0) = \sum_{i=0}^{N} i$. This is shown using Lemma 1. □
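Before turning to the specification logic, here is an executable reading of Figure 1, added as an illustration and not taken from the paper: `evaluate` returns the pair $(N, M')$ of the evaluation relation, memory is a dictionary standing for the partial function (never mutated, so $M[x \mapsto y]$ is a fresh copy), and the premise $M''(N_1) = N_3$ of the update rule is enforced as a domain check, so an update outside the domain fails just as the rule has no instance there. It then runs the swap program of Section 2.2 and the programs $U$ and $V$ of Section 2.3. The tuple encoding of programs and the function names are this example's own choices; the paper fixes no concrete syntax.

```python
# Added example: an interpreter that reads the rules of Figure 1 directly.
# Programs are nested tuples; the constructor names below are this example's
# own choice, not notation from the paper.

def num(n):            return ("num", n)
def add(a, b):         return ("+", a, b)
def sub(a, b):         return ("-", a, b)
def gt(a, b):          return (">", a, b)
def deref(r):          return ("*", r)          # *R, memory lookup
def store(loc, val):   return ("<-", loc, val)  # R1 <- R2, memory update
def seq(a, b):         return (";", a, b)
def while_(c, body):   return ("while", c, body)


def update(mem, x, y):
    """M[x |-> y]: a fresh memory that agrees with mem except at x."""
    return {**mem, x: y}


def evaluate(prog, mem):
    """Return (N, M') such that <prog, mem> ~> <N, M'> holds, building the
    premises of the matching rule left to right.  mem is a dict standing
    for the partial function; it is never mutated."""
    tag = prog[0]
    if tag == "num":                       # the axiom <N, M> ~> <N, M>
        return prog[1], mem
    if tag in ("+", "-", ">"):             # the binary rules share two premises
        n1, m1 = evaluate(prog[1], mem)
        n2, m2 = evaluate(prog[2], m1)
        if tag == "+":
            return n1 + n2, m2
        if tag == "-":
            return max(n1 - n2, 0), m2     # natural-number subtraction: 0 if N1 < N2
        return (1 if n1 > n2 else 0), m2   # the two rules for >: 1 when N1 > N2, else 0
    if tag == "*":
        n, m1 = evaluate(prog[1], mem)
        if n not in m1:
            raise KeyError(f"premise M'({n}) = N' fails: {n} not in the domain")
        return m1[n], m1                   # memory is left unchanged
    if tag == "<-":
        n1, m1 = evaluate(prog[1], mem)
        n2, m2 = evaluate(prog[2], m1)
        if n1 not in m2:                   # rightmost premise M''(N1) = N3 keeps the domain fixed
            raise KeyError(f"premise M''({n1}) = N3 fails: {n1} not in the domain")
        return n2, update(m2, n1, n2)      # <N2, M''[N1 |-> N2]>
    if tag == ";":
        _, m1 = evaluate(prog[1], mem)
        return evaluate(prog[2], m1)       # the value of a sequence is that of R2
    if tag == "while":
        n1, m1 = evaluate(prog[1], mem)
        if n1 == 0:                        # first while rule
            return 0, m1
        _, m2 = evaluate(prog[2], m1)      # second while rule: body, then the loop again
        return evaluate(prog, m2)
    raise ValueError(f"not a program of L: {prog!r}")


# The swap program of Section 2.2:  2 <- *0; (0 <- *1; 1 <- *2)
SWAP = seq(store(num(2), deref(num(0))),
           seq(store(num(0), deref(num(1))), store(num(1), deref(num(2)))))

# Program U of Section 2.3, (1):  while (*1)>0 do 0 <- *0 + *1; 1 <- *1 - 1
U = while_(gt(deref(num(1)), num(0)),
           seq(store(num(0), add(deref(num(0)), deref(num(1)))),
               store(num(1), sub(deref(num(1)), num(1)))))

def V(n):
    """Program V of Section 2.3, (2):  0 <- 0; (1 <- N; U)."""
    return seq(store(num(0), num(0)), seq(store(num(1), num(n)), U))


def run_swap(mem):
    """Final memory of the swap program; compare with expected_swap(mem)."""
    return evaluate(SWAP, mem)[1]

def expected_swap(mem):
    """M[2 |-> M(0)][0 |-> M(1)][1 |-> M(0)], the memory claimed in Section 2.2."""
    return update(update(update(mem, 2, mem[0]), 0, mem[1]), 1, mem[0])

def run_sum(n, mem):
    """M'(0) after running V: the sum 0 + 1 + ... + n by Theorem 2."""
    return evaluate(V(n), mem)[1][0]


if __name__ == "__main__":
    m = {0: 5, 1: 7, 2: 0}                 # constructed sample memory
    print(run_swap(m), expected_swap(m))   # both {0: 7, 1: 5, 2: 5}
    print(run_sum(10, {0: 99, 1: 99}))     # 55
```

Because `evaluate` follows the rules' premises in order, each call corresponds to one node of a derivation; running $U$ on a memory with $M(0) = N_2$ and $M(1) = N_1$ returns the pair $(0, M')$ with $M'(0) = N_2 + \sum_{i=0}^{N_1} i$ that Lemma 1 states.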

3. The Specification Logic 

In this section we present Lolli, the fragment of linear logic that we will use to formalize our imperative programming language. The first subsection introduces the language of Lolli and clarifies the meaning of its logical symbols through inference rules. This part of our presentation emphasizes the declarative nature of Lolli. When we use it to model natural semantics style descriptions, we would also like to be able to capture the structure of natural semantics style derivations. Towards this end, we show in the second subsection the relative completeness of goal-directed reasoning in Lolli. This discussion culminates in a reduced proof system for Lolli that we use exclusively in the rest of the paper.

3.1 The logic Lolli 

Lolli is a logic that is built on the simply typed $\lambda$-calculus of Church. The types underlying its language are constructed from a collection of primitive types that contain $o$, the type of propositions, and at least one other type; for the moment, we assume $\iota$ to be the only such type, but we will add to this collection as needed in later sections. The remaining types build on these primitive types using the function type constructor: if $\tau_1$ and $\tau_2$ are types, then $\tau_1 \to \tau_2$ is also a type and it denotes the collection of functions from $\tau_1$ to $\tau_2$.

The terms of Lolli are constructed from collections of typed variables and constants using the usual abstraction and application operations: the former yields the term $\lambda x.t$ of type $\tau_1 \to \tau_2$ given the term $t$ of type $\tau_2$ and the variable $x$ of type $\tau_1$, and the latter yields the term $(t_1\ t_2)$ of type $\tau_2$ given terms $t_1$ and $t_2$ of types $\tau_1 \to \tau_2$ and $\tau_1$ respectively. Abstraction is a binding operation that defines a scope for the variable, a concept that we will assume the reader to be familiar with. Two terms are considered to be equal if one can be obtained from the other by some sequence of $\alpha$-conversions, i.e. the replacement of a subpart of the form $\lambda x.t$ by $\lambda y.t'$ provided $x$ and $y$ are variables of the same type, $y$ does not appear free in $t$ and $t'$ results from $t$ by the replacement of the free occurrences of $x$ by $y$. Given a term $s$ of the same type as $x$, we will write $t[s/x]$ to denote the result of substituting $s$ for the free occurrences of $x$ in $t$ in a capture avoiding way; notice that in correctly carrying out such a substitution, we may need to apply some $\alpha$-conversions. A term $t$ is said to be obtained by $\beta$-contraction from another term $s$ if it results from replacing a subterm of $s$ that has the form $((\lambda x.t_1)\ t_2)$ by $t_1[t_2/x]$. Two terms are also considered equal if one can be obtained from the other by some sequence of applications of $\beta$-contractions or its inverse. We will use this notion of equality implicitly in the rest of this paper. In the context of the simply typed $\lambda$-calculus, it is known that every term has a normal form modulo $\beta$-contractions, i.e. it is equal to a term which does not contain a subterm of the form $((\lambda x.t_1)\ t_2)$. We will depict terms solely by their normal forms.

Lolli has a set of constants that serve to build a logic over its terms. These constants, referred to as logical constants, consist of the following: $\&$, $\multimap$, $\Rightarrow$, $\otimes$, and $\oplus$, all of type $o \to (o \to o)$ and written in infix form; $!$ of type $o \to o$; and, for each type $\tau$, the constants $\forall_\tau$ and $\exists_\tau$ with type $(\tau \to o) \to o$. The constants $\forall_\tau$ and $\exists_\tau$ are referred to as quantifiers and the remaining constants constitute the logical connectives. In addition to these constants, expressions in Lolli may also be formed from user defined constants, referred to as nonlogical constants. The well-formed terms of type $o$ in Lolli are distinguished as formulas. Notice that a formula may have as its top-level symbol a logical constant, a variable or a nonlogical constant. In the latter two cases, the formula is said to be atomic. Further, it is a rigid atom if its top-level symbol is a nonlogical constant. We shall use the syntactic variable $A$ to denote atomic formulas and $A_r$ to denote rigid atoms.

At a logical level, Lolli is oriented towards proving judgments represented by sequents. Formally, a sequent is an object of the form

$$\Gamma;\ \Delta \vdash G$$

where $\Gamma$ is a set of formulas, $\Delta$ is a multiset of formulas and $G$ is a formula. Intuitively, such a sequent corresponds to the claim that $G$, the goal formula, is derivable given the resources $\Gamma$ and $\Delta$. The resources in $\Gamma$ are distinguished as being unbounded: formulas in $\Gamma$ would typically be used to represent unchanging facts in a specification setting, such as the natural semantics rules governing the behavior of imperative programs. On the other hand, formulas in $\Delta$ constitute bounded resources: referring again to the imperative programming example, they may be used to represent the state of memory at a particular point in computation.

The syntax of formulas that may be used as resources and goals is limited in Lolli. Specifically, they may only be the $P$ and $G$ formulas described by the syntax rules below:

$$\begin{array}{rcl} P & ::= & A_r \mid P \& P \mid G \multimap P \mid G \Rightarrow P \mid \forall x.P \\ G & ::= & \top \mid A \mid G \& G \mid P \multimap G \mid P \Rightarrow G \mid \forall x.G \mid \exists x.G \mid\ !G \mid G \otimes G \mid G \oplus G \end{array} \qquad (3)$$

We refer to $P$ formulas also as program clause formulas. Notice that the connectives $\&$, $\multimap$, $\Rightarrow$ and $\forall$ are allowed in both kinds of formulas. However, there are differing constraints in the use of $\multimap$ and $\Rightarrow$. When these are used in the resource formulas, the formula on the left must be a goal formula and that on the right must be a resource formula. When they are used in a goal formula on the other hand, the formula on the left must be a resource formula and that on the right must be a goal formula. As we shall see presently, these restrictions play an important role in maintaining the structure of sequents in the course of a derivation and therefore in the coherence of the inference rules for Lolli. In addition to the already mentioned connectives, goal formulas may contain $\top$, $\exists$, $!$, $\otimes$, and $\oplus$.

The rules for deriving sequents in Lolli are presented in Figure 2. The sequent that appears below the line in each of these rules is called its conclusion and the sequents that appear above the line constitute its premises. The $L$ or $R$ in the labels of these rules denotes whether the rule introduces a logical symbol on the left or the right of the $\vdash$. Grouped by $L$ or $R$ they may be referred to as left-introduction rules and right-introduction rules, respectively. In the rules pertaining to the logical symbols, the formula in the conclusion that contains the introduced symbol is called the principal formula. This terminology is extended to the id rule and absorb rules to denote the formulas represented by $A$ and $B$, respectively. When we write $\Gamma, P$ in the unbounded context in these rules, we mean it to denote $\Gamma \cup \{P\}$, i.e. $P$ may also be contained in $\Gamma$. On the other hand, in the bounded context $\Delta, P$ represents $\Delta \uplus \{P\}$, i.e. $\Delta$ constitutes the bounded resources with the exclusion of the selected copy of the formula $P$. Relatedly, $\Delta_1, \Delta_2$ in such a context stands for $\Delta_1 \uplus \Delta_2$, i.e., the comma represents multiset union.


$$\frac{\Gamma, B;\ \Delta, B \vdash G}{\Gamma, B;\ \Delta \vdash G}\ \mathrm{absorb} \qquad \frac{}{\Gamma;\ A \vdash A}\ \mathrm{id} \qquad \frac{}{\Gamma;\ \Delta \vdash \top}\ {\top}R$$

$$\frac{\Gamma;\ \Delta, B_i \vdash G}{\Gamma;\ \Delta, B_1 \& B_2 \vdash G}\ \&L\ (i \in \{1, 2\}) \qquad \frac{\Gamma;\ \Delta \vdash G_1 \quad \Gamma;\ \Delta \vdash G_2}{\Gamma;\ \Delta \vdash G_1 \& G_2}\ \&R$$

$$\frac{\Gamma;\ \Delta_1 \vdash B_1 \quad \Gamma;\ \Delta_2, B_2 \vdash G}{\Gamma;\ \Delta_1, \Delta_2, B_1 \multimap B_2 \vdash G}\ {\multimap}L \qquad \frac{\Gamma;\ \Delta, G_1 \vdash G_2}{\Gamma;\ \Delta \vdash G_1 \multimap G_2}\ {\multimap}R$$

$$\frac{\Gamma;\ \emptyset \vdash B_1 \quad \Gamma;\ \Delta, B_2 \vdash G}{\Gamma;\ \Delta, B_1 \Rightarrow B_2 \vdash G}\ {\Rightarrow}L \qquad \frac{\Gamma, G_1;\ \Delta \vdash G_2}{\Gamma;\ \Delta \vdash G_1 \Rightarrow G_2}\ {\Rightarrow}R$$

$$\frac{\Gamma;\ \Delta, (B\ t) \vdash G}{\Gamma;\ \Delta, \forall x.B \vdash G}\ {\forall}L \qquad \frac{\Gamma;\ \Delta \vdash (G\ c)}{\Gamma;\ \Delta \vdash \forall x.G}\ {\forall}R \qquad \frac{\Gamma;\ \Delta \vdash (G\ t)}{\Gamma;\ \Delta \vdash \exists x.G}\ {\exists}R$$

$$\frac{\Gamma;\ \emptyset \vdash G}{\Gamma;\ \emptyset \vdash\ !G}\ {!}R \qquad \frac{\Gamma;\ \Delta \vdash G_i}{\Gamma;\ \Delta \vdash G_1 \oplus G_2}\ {\oplus}R\ (i \in \{1, 2\}) \qquad \frac{\Gamma;\ \Delta_1 \vdash G_1 \quad \Gamma;\ \Delta_2 \vdash G_2}{\Gamma;\ \Delta_1, \Delta_2 \vdash G_1 \otimes G_2}\ {\otimes}R$$

Figure 2. The inference rules in Lolli. In the $\forall R$ rule, $c$ must not occur in $\Gamma$, $\Delta$, or $G$. In the $\forall L$ and $\exists R$ rules, the term $t$ generalized upon must be such that $(B\ t)$ and $(G\ t)$ are a program clause formula and a goal formula, respectively.


Some comments on the inference rules are useful both in understanding the logical structure of Lolli and the intended meaning of the logical symbols. The rules for the use of resource formulas in Lolli are all stated with respect to the bounded context. The only exception to this is the absorb rule which encodes the possibility of making a copy of an unbounded resource before using it in a bounded fashion. The rules for the quantifiers give them their usual interpretation with the caveat that the domain of quantification is restricted so as to preserve the normal form of sequents in Lolli. The formula $G_1 \otimes G_2$ is interpreted as saying that there are enough resources to show both $G_1$ and $G_2$: the rule for proving this formula requires each component to be shown from a partitioning of the bounded resources. The connectives $\&$ and $\oplus$ are meant to encode different kinds of choices. The formula $G_1 \& G_2$ signifies that the available resources are sufficient to satisfy either $G_1$ or $G_2$, whichever one we choose. Accordingly, to prove a sequent that has such a formula on the right of $\vdash$, we have to show that we can prove sequents with the same resources and each of $G_1$ and $G_2$ as the goal. On the other hand, if the formula $B_1 \& B_2$ is available as a resource, this means that we can choose which one of the components we actually want to use, something that underlies the left-introduction rule for this connective. In contrast, the formula $G_1 \oplus G_2$ means that we can have one of $G_1$ or $G_2$ based on the resources, but we do not know a priori which. Correspondingly, to prove a sequent that has such a formula on the right of $\vdash$, it suffices to prove a sequent with the same resources and with one of $G_1$ or $G_2$ as the goal. The $\multimap$ connective captures a notion of resource conversion: to show $G_1 \multimap G_2$ we must somehow use $G_1$ in showing $G_2$ and, conversely, when given $B_1 \multimap B_2$, we may consume some of the resources to show $B_1$ and then use $B_2$ itself as a resource. The $\Rightarrow$ connective also represents resource conversion, but this time of an unbounded resource. Note that the rules for $\multimap$ and $\Rightarrow$ may move formulas from one side of $\vdash$ to the other and could potentially result in destroying the form of permitted sequents in Lolli. However, the restriction on what can appear on either side of $\multimap$ and $\Rightarrow$ in goal and program clause formulas ensures that this does not happen. The $!$ connective corresponds to treating its argument as being independent of the finite resources. The id rule cements the fact that all the bounded resources must be consumed in a derivation. In this setting $\top$ corresponds to a "sink" or a garbage collector for the bounded resources.

We illustrate the rules of Lolli by considering a few proofs that use them. First, consider the sequent

$$\emptyset;\ \emptyset \vdash (A_1 \& A_2) \Rightarrow (A_1 \otimes A_2).$$

This sequent expresses the intuition that if we have $A_1 \& A_2$ as an unbounded resource, then we must simultaneously have both $A_1$ and $A_2$ provided our bounded resources are empty. A derivation for the sequent is shown below.

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{}{A_1 \& A_2;\ A_1 \vdash A_1}\ \mathrm{id} \quad \dfrac{}{A_1 \& A_2;\ A_2 \vdash A_2}\ \mathrm{id}}{A_1 \& A_2;\ A_1, A_2 \vdash A_1 \otimes A_2}\ {\otimes}R}{A_1 \& A_2;\ A_1, A_1 \& A_2 \vdash A_1 \otimes A_2}\ \&L}{A_1 \& A_2;\ A_1 \& A_2, A_1 \& A_2 \vdash A_1 \otimes A_2}\ \&L}{A_1 \& A_2;\ A_1 \& A_2 \vdash A_1 \otimes A_2}\ \mathrm{absorb}}{A_1 \& A_2;\ \emptyset \vdash A_1 \otimes A_2}\ \mathrm{absorb}}{\emptyset;\ \emptyset \vdash (A_1 \& A_2) \Rightarrow (A_1 \otimes A_2)}\ {\Rightarrow}R$$

This proof uses the $\&L$ and absorb rules in a situation when the formula on the right of $\vdash$ is $A_1 \otimes A_2$, i.e., is not atomic. Such a proof is not goal-directed, i.e., if we think of the process of searching for a proof for the given sequent, the formula on the right of the $\vdash$ symbol does not guide the choice of rule to use to arrive at the conclusion. In the next subsection we will consider the idea of uniform proofs that will provide us a means for restricting attention to only goal-directed proofs.

Notice that the unbounded availability of $A_1 \& A_2$ is important to the above proof: if we change the sequent to

$$\emptyset;\ \emptyset \vdash (A_1 \& A_2) \multimap (A_1 \otimes A_2)$$

then it is no longer provable. Given the formula $A_1 \& A_2$ as a bounded resource, we have to make a choice between using it as $A_1$ or as $A_2$, also as a bounded resource. This choice is mutually exclusive; we may not have both $A_1$ and $A_2$. On the other hand, if $A_1 \otimes A_2$ is on the right of $\vdash$, then both $A_1$ and $A_2$ must be available as (bounded) resources for the sequent to be provable.

The process of finding proofs for sequents typically involves search. Two common strategies that are used in this setting are forward chaining and backward chaining. These strategies refer to how we use implicational formulas, which in Lolli could be ones that have either $\multimap$ or $\Rightarrow$ as their top-level connective, available in resources in guiding the search. In the former case, we use the fact that the lefthand side of the implication is already available as a resource and we then reason forward, by adding the righthand side as a resource. In the latter case, we observe that the goal formula of the sequent matches the righthand side of the implication and then reduce the task to showing the lefthand side from the available resources. The following proof can be understood as the result of using a forward chaining strategy to prove the sequent $A_1;\ A_1 \multimap A_2, A_2 \multimap A_3 \vdash A_3$.

$$\frac{\dfrac{\dfrac{}{A_1;\ A_1 \vdash A_1}\ \mathrm{id}}{A_1;\ \emptyset \vdash A_1}\ \mathrm{absorb} \quad \dfrac{\dfrac{}{A_1;\ A_2 \vdash A_2}\ \mathrm{id} \quad \dfrac{}{A_1;\ A_3 \vdash A_3}\ \mathrm{id}}{A_1;\ A_2, A_2 \multimap A_3 \vdash A_3}\ {\multimap}L}{A_1;\ A_1 \multimap A_2, A_2 \multimap A_3 \vdash A_3}\ {\multimap}L$$

In Section 3.2 we will consider a different proof resulting from a backward chaining strategy for this sequent.
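The three sequents of this subsection can be checked mechanically. The following Python code is an added example, not code from the paper or from the Lolli system: it implements goal-directed proof search for the propositional part of the rules in Figure 2 using the backward-chaining strategy just described. A goal is decomposed by its top-level connective; an atomic goal is proved by selecting one resource (consuming it from $\Delta$, or copying it from $\Gamma$ as the absorb rule allows) and decomposing that resource with left rules until its head matches the goal. Bounded resources are divided between the two premises of ${\otimes}R$ and ${\multimap}L$ by trying every partition, so for the small sequents on this page the search is exhaustive. Quantifiers are omitted, and the tagged-tuple encoding of formulas and the function names are this example's own.

```python
# Added example: backward-chaining, goal-directed proof search for the
# propositional fragment of Lolli (no quantifiers).  The tuple encoding of
# formulas and the function names are this example's own choices.

TOP = ("top",)
def atom(name):   return ("atom", name)
def with_(a, b):  return ("&", a, b)     # additive conjunction a & b
def limp(a, b):   return ("-o", a, b)    # linear implication a -o b
def imp(a, b):    return ("=>", a, b)    # intuitionistic implication a => b
def tensor(a, b): return ("*", a, b)     # multiplicative conjunction a (x) b
def plus(a, b):   return ("+", a, b)     # additive disjunction a (+) b
def bang(g):      return ("!", g)


def splits(delta):
    """Every way of dividing the bounded multiset delta into (delta1, delta2)."""
    n = len(delta)
    for mask in range(1 << n):
        yield (tuple(delta[i] for i in range(n) if mask >> i & 1),
               tuple(delta[i] for i in range(n) if not mask >> i & 1))


def prove(gamma, delta, goal):
    """Is gamma; delta |- goal provable?  gamma is a frozenset (unbounded
    resources), delta a tuple (bounded resources, read as a multiset)."""
    tag = goal[0]
    if tag == "top":                                   # top-R: absorbs any delta
        return True
    if tag == "&":                                     # &R: same resources for both
        return prove(gamma, delta, goal[1]) and prove(gamma, delta, goal[2])
    if tag == "+":                                     # (+)R: pick one side
        return prove(gamma, delta, goal[1]) or prove(gamma, delta, goal[2])
    if tag == "*":                                     # (x)R: partition delta
        return any(prove(gamma, d1, goal[1]) and prove(gamma, d2, goal[2])
                   for d1, d2 in splits(delta))
    if tag == "!":                                     # !R: needs an empty delta
        return not delta and prove(gamma, (), goal[1])
    if tag == "-o":                                    # -oR: premise becomes bounded
        return prove(gamma, delta + (goal[1],), goal[2])
    if tag == "=>":                                    # =>R: premise becomes unbounded
        return prove(gamma | frozenset([goal[1]]), delta, goal[2])
    # Atomic goal: backchain on one bounded resource (consumed) ...
    for i, clause in enumerate(delta):
        if focus(gamma, delta[:i] + delta[i + 1:], clause, goal):
            return True
    # ... or on an unbounded one, copied into the bounded context (absorb).
    return any(focus(gamma, delta, clause, goal) for clause in gamma)


def focus(gamma, delta, clause, a):
    """Decompose the selected clause with left rules until its head is the atom a."""
    tag = clause[0]
    if tag == "atom":                                  # id: only this resource may remain
        return clause == a and not delta
    if tag == "&":                                     # &L: choose a component
        return focus(gamma, delta, clause[1], a) or focus(gamma, delta, clause[2], a)
    if tag == "-o":                                    # -oL: body from part of delta
        return any(prove(gamma, d1, clause[1]) and focus(gamma, d2, clause[2], a)
                   for d1, d2 in splits(delta))
    if tag == "=>":                                    # =>L: body with an empty delta
        return prove(gamma, (), clause[1]) and focus(gamma, delta, clause[2], a)
    return False


A1, A2, A3 = atom("A1"), atom("A2"), atom("A3")

def examples():
    """The three sequents discussed in Section 3.1, mapped to their provability."""
    return {
        "0;0 |- (A1 & A2) => (A1 (x) A2)": prove(frozenset(), (), imp(with_(A1, A2), tensor(A1, A2))),
        "0;0 |- (A1 & A2) -o (A1 (x) A2)": prove(frozenset(), (), limp(with_(A1, A2), tensor(A1, A2))),
        "A1; A1 -o A2, A2 -o A3 |- A3":    prove(frozenset([A1]), (limp(A1, A2), limp(A2, A3)), A3),
    }

if __name__ == "__main__":
    for sequent, ok in examples().items():
        print("provable    " if ok else "not provable", sequent)
```

The second sequent fails for exactly the reason given above: with $A_1 \& A_2$ in $\Delta$, `focus` can select only one component, and whichever premise of ${\otimes}R$ receives it, the other premise is left with an empty bounded context and an atomic goal that nothing proves. The third sequent succeeds by backchaining on $A_2 \multimap A_3$ first and then on $A_1 \multimap A_2$, which is the backward-chaining proof that the text contrasts with the forward-chaining one shown.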


3.2 A Reduced Proof System for Lolli 

The derivation system for Lolli that we saw in the previous subsection presents us with alternative ways to construct a proof. For example, we may have the choice of using either a left or a right rule at a particular point in a proof. In modelling natural semantics style rules for imperative programming languages, we will want to use sequents in a specific way: the unbounded context will encode the semantics of programming constructs, the bounded context will model the state and the goal formula will represent the program producing the computation. If we are to analyze the properties of programs using this setup, it would be ideal if we could focus our attention on Lolli proofs that closely follow program behavior. We show here that this is possible. In particular, we demonstrate that, from a provability perspective, it suffices to look at proofs that are goal-directed in that, when looking at derivations bottom up, the first step is always to simplify a complex goal formula.

The following definition, first introduced by Miller et al. [?], provides an encapsulation of the idea of goal-directedness in the context of Lolli proofs. It was or

Definition 3 (Uniform Proof). A uniform proof is a Lolli proof in which every sequent with a non-atomic goal formula on the right of $\vdash$ is the conclusion of an inference rule that introduces the top-level logical symbol of that formula.


Towards understanding uniform provability, consider the proof shown in Section 3.1 for the sequent

\[
\emptyset;\emptyset \vdash (A_1 \mathbin{\&} A_2) \Rightarrow (A_1 \otimes A_2).
\]

That proof is not a uniform proof: in it there are two absorb rules and two $\&L$ rules that have as a conclusion a sequent in which the goal formula $A_1 \otimes A_2$ appears to the right of $\vdash$. However, the same sequent does have a uniform proof, shown below:

\[
\infer[\Rightarrow R]{\emptyset;\emptyset \vdash (A_1 \mathbin{\&} A_2) \Rightarrow (A_1 \otimes A_2)}{
 \infer[\otimes R]{A_1 \mathbin{\&} A_2;\ \emptyset \vdash A_1 \otimes A_2}{
  \infer[absorb]{A_1 \mathbin{\&} A_2;\ \emptyset \vdash A_1}{
   \infer[\&L]{A_1 \mathbin{\&} A_2;\ A_1 \mathbin{\&} A_2 \vdash A_1}{
    \infer[id]{A_1 \mathbin{\&} A_2;\ A_1 \vdash A_1}{}}}
  &
  \infer[absorb]{A_1 \mathbin{\&} A_2;\ \emptyset \vdash A_2}{
   \infer[\&L]{A_1 \mathbin{\&} A_2;\ A_1 \mathbin{\&} A_2 \vdash A_2}{
    \infer[id]{A_1 \mathbin{\&} A_2;\ A_2 \vdash A_2}{}}}}}
\]

In fact, every provable Lolli sequent has a uniform proof, as we now show.

Theorem 4 (Lolli Admits Uniform Provability). The sequent $\Gamma;\Delta \vdash G$ has a proof in Lolli if and only if it has a uniform proof.


Proof. The “if” direction is obvious. For the “only if” direction, we consider a proof that is not uniform and show how to transform it into a uniform proof. We associate with a proof a non-uniformity measure that counts the number of inference rule occurrences that do not act on a complex goal formula that appears to the right of $\vdash$ in their conclusion. If this measure is non-zero, we show how to reduce it by 1. The conclusion then follows by induction on the measure.

If a proof has a non-zero non-uniformity measure, then there must be a path in it in which there is a first occurrence of a left rule that has a complex goal formula to the right of $\vdash$ in its conclusion. We show how to reduce the height of this path by 1. By induction on this height it follows that we can eliminate this violation of uniformity and thereby reduce the non-uniformity measure of the proof. Observe that since the rule in question is the first one along the path to violate the uniformity property, it must be preceded in the proof by a right rule. We use this fact in our argument. In particular, we consider the possible cases for the right and left rules and show that the left rule can be permuted above the right one, thereby moving the violation of uniformity closer to a leaf.

In a detailed consideration of the cases, it is useful to categorize rules based on the number of premises they have. Category I will represent rules with one premise and category II will represent rules with two premises.

Suppose that the case in question involves two inference rules from category I. An example of such a situation is the following:


\[
\infer[\&L\ (i \in \{1,2\})]{\Gamma;\ \Delta, B_1 \mathbin{\&} B_2 \vdash G_1 \multimap G_2}{
 \infer[\multimap R]{\Gamma;\ \Delta, B_i \vdash G_1 \multimap G_2}{
  \Gamma;\ \Delta, B_i, G_1 \vdash G_2}}
\]

This proof can be rearranged as follows:

\[
\infer[\multimap R]{\Gamma;\ \Delta, B_1 \mathbin{\&} B_2 \vdash G_1 \multimap G_2}{
 \infer[\&L\ (i \in \{1,2\})]{\Gamma;\ \Delta, B_1 \mathbin{\&} B_2, G_1 \vdash G_2}{
  \Gamma;\ \Delta, B_i, G_1 \vdash G_2}}
\]


By permuting the left rule above the right one, we have reduced the length of the path by 1 as required. A similar argument applies to all the other cases of rules in these two respective categories.

Suppose that the case in question involves a right inference rule from category I and a left inference rule from category II. An example of this kind is presented by the following derivation:

\[
\infer[\multimap L]{\Gamma;\ \Delta_1, \Delta_2, B_1 \multimap B_2 \vdash G_1 \oplus G_2}{
 \Gamma;\ \Delta_1 \vdash B_1
 &
 \infer[\oplus R\ (i \in \{1,2\})]{\Gamma;\ \Delta_2, B_2 \vdash G_1 \oplus G_2}{
  \Gamma;\ \Delta_2, B_2 \vdash G_i}}
\]

In this case the derivation can be rearranged as follows to once again reduce the length of the path by 1:

\[
\infer[\oplus R\ (i \in \{1,2\})]{\Gamma;\ \Delta_1, \Delta_2, B_1 \multimap B_2 \vdash G_1 \oplus G_2}{
 \infer[\multimap L]{\Gamma;\ \Delta_1, \Delta_2, B_1 \multimap B_2 \vdash G_i}{
  \Gamma;\ \Delta_1 \vdash B_1 & \Gamma;\ \Delta_2, B_2 \vdash G_i}}
\]

The other cases for rules from the categories under consideration are similar.

Suppose the case in question involves a right inference rule from category II and a left inference rule instance from category I. An example of this kind is the following:

\[
\infer[\&L\ (i \in \{1,2\})]{\Gamma;\ \Delta_1, \Delta_2, B_1 \mathbin{\&} B_2 \vdash G_1 \otimes G_2}{
 \infer[\otimes R]{\Gamma;\ \Delta_1, \Delta_2, B_i \vdash G_1 \otimes G_2}{
  \Gamma;\ \Delta_1, B_i \vdash G_1 & \Gamma;\ \Delta_2 \vdash G_2}}
\]

Here again, we can permute the left inference rule above the right one as follows:

\[
\infer[\otimes R]{\Gamma;\ \Delta_1, \Delta_2, B_1 \mathbin{\&} B_2 \vdash G_1 \otimes G_2}{
 \infer[\&L\ (i \in \{1,2\})]{\Gamma;\ \Delta_1, B_1 \mathbin{\&} B_2 \vdash G_1}{
  \Gamma;\ \Delta_1, B_i \vdash G_1}
 &
 \Gamma;\ \Delta_2 \vdash G_2}
\]

The other cases under this combination are treated similarly.

Finally, suppose that the situation under consideration involves a right and a left inference rule both from category II. An example of this kind is the following:

\[
\infer[\multimap L]{\Gamma;\ \Delta_1, \Delta_2, \Delta_3, B_1 \multimap B_2 \vdash G_1 \otimes G_2}{
 \Gamma;\ \Delta_1 \vdash B_1
 &
 \infer[\otimes R]{\Gamma;\ \Delta_2, \Delta_3, B_2 \vdash G_1 \otimes G_2}{
  \Gamma;\ \Delta_2, B_2 \vdash G_1 & \Gamma;\ \Delta_3 \vdash G_2}}
\]

Here we rearrange the derivation as follows, again obviously reducing the length of the path to the errant left rule by one:

\[
\infer[\otimes R]{\Gamma;\ \Delta_1, \Delta_2, \Delta_3, B_1 \multimap B_2 \vdash G_1 \otimes G_2}{
 \infer[\multimap L]{\Gamma;\ \Delta_1, \Delta_2, B_1 \multimap B_2 \vdash G_1}{
  \Gamma;\ \Delta_1 \vdash B_1 & \Gamma;\ \Delta_2, B_2 \vdash G_1}
 &
 \Gamma;\ \Delta_3 \vdash G_2}
\]

The other cases for the rules in the categories under consideration are treated similarly. □


We are thinking of modeling natural semantics style inference rules using the $\multimap$ connective: modeled natural semantics rule conclusion relations will occur to the right, also known as the head, of a $\multimap$ and modeled premise relations will occur to the left, also known as the body, of a $\multimap$. When modeled this way, $\multimap L$ application on formulas with heads matching atomic goals mimics natural semantics style derivation construction. A backward chaining proof search strategy is one where this process is repeated for proof construction.

The following definition captures the structure of proofs built using a backward chaining proof search strategy.

Definition 5 (Simple Proof). A uniform proof is simple if every left introduction inference rule instance acts on a marked formula. A unique formula in the bounded context is marked if it is the principal formula of an id instance or if:

• $P_1$ or $P_2$ is marked in the premise sequent of a $\&L$ instance, then the formula $P_1 \mathbin{\&} P_2$ is marked in the conclusion sequent.

• $P[t/x]$ is marked in the premise sequent of a $\forall L$ instance, then the formula $\forall x.P$ is marked in the conclusion sequent.

• $P$ is marked in the right-hand premise sequent of a $\multimap L$ instance, then the formula $G \multimap P$ is marked in the conclusion sequent.

• $P$ is marked in the right-hand premise sequent of a $\Rightarrow L$ instance, then the formula $G \Rightarrow P$ is marked in the conclusion sequent.

The second proof from Section 3.1 is an example of a proof that is not simple. This can be illustrated by attempting to mark the proof according to Definition 5. In the following proof, the dots indicate formulas which can be marked.

\[
\infer[\multimap L]{A_1;\ A_1 \multimap A_2,\ A_2 \multimap A_3 \vdash A_3}{
 \infer[absorb]{A_1;\ \emptyset \vdash A_1}{
  \infer[id]{A_1;\ \dot{A}_1 \vdash A_1}{}}
 &
 \infer[\multimap L]{A_1;\ A_2,\ \dot{(A_2 \multimap A_3)} \vdash A_3}{
  \infer[id]{A_1;\ \dot{A}_2 \vdash A_2}{} & \infer[id]{A_1;\ \dot{A}_3 \vdash A_3}{}}}
\]

Consider the bottom-most $\multimap L$ instance, whose principal formula is $A_1 \multimap A_2$, and call this instance one. According to the marking strategy, for this formula to be marked, $A_2$ must be marked at the root of the right-hand premise sub-proof of instance one. It is not marked there: that sequent is the conclusion of a $\multimap L$ instance whose principal formula is $A_2 \multimap A_3$, so only $A_2 \multimap A_3$ can be marked in it. Consequently, instance one acts on an unmarked formula.

The following proof is a simple proof for the same sequent. Observe that every principal formula of a left introduction rule is marked.

\[
\infer[\multimap L]{A_1;\ A_1 \multimap A_2,\ A_2 \multimap A_3 \vdash A_3}{
 \infer[\multimap L]{A_1;\ A_1 \multimap A_2 \vdash A_2}{
  \infer[absorb]{A_1;\ \emptyset \vdash A_1}{
   \infer[id]{A_1;\ A_1 \vdash A_1}{}}
  &
  \infer[id]{A_1;\ A_2 \vdash A_2}{}}
 &
 \infer[id]{A_1;\ A_3 \vdash A_3}{}}
\]

We now show that every provable sequent in Lolli has a simple proof.

Theorem 6 (The Original Specification Logic Admits Simple Provability). The sequent $\Gamma;\Delta \vdash G$ has a uniform proof in Lolli if and only if it has a simple proof in Lolli.


Proof. This proof is similar to the proof given in Theorem 4. The “if” direction is obvious, and in the “only if” direction we associate with a proof a non-simple measure that counts the number of unmarked principal formulas occurring to the left of a $\vdash$. If this measure is non-zero, we show how to reduce it by 1. The conclusion then follows by induction on the measure.

Observe that if a non-simple instance occurs below an absorb instance, a permutation is immediate. Therefore, we restrict the analysis to non-simple instances below instances that are not absorb.

Suppose the non-simple instance is a $\&$ or $\forall$ left introduction instance. Observe that the rule above this non-simple instance must be a left introduction instance; $A$ is atomic so no right introduction rules apply. If the rule is below a $\forall$ or $\&$ left introduction instance, permutation of these instances is immediate. If the rule above is a left introduction instance of $\multimap$, a straightforward permutation is possible. We consider one such case in detail, where $\Xi$ and $\Sigma$ are simple proofs:

\[
\infer[\&L\ (i \in \{3,4\})]{\Gamma;\ \Delta_1, \Delta_2, P_1 \multimap P_2, P_3 \mathbin{\&} P_4 \vdash A}{
 \infer[\multimap L]{\Gamma;\ \Delta_1, \Delta_2, P_1 \multimap P_2, P_i \vdash A}{
  \deduce{\Gamma;\ \Delta_1, P_i \vdash P_1}{\Xi}
  &
  \deduce{\Gamma;\ \Delta_2, P_2 \vdash A}{\Sigma}}}
\]

This non-simple uniform proof may be permuted to one with the following form:

\[
\infer[\multimap L]{\Gamma;\ \Delta_1, \Delta_2, P_1 \multimap P_2, P_3 \mathbin{\&} P_4 \vdash A}{
 \infer[\&L\ (i \in \{3,4\})]{\Gamma;\ \Delta_1, P_3 \mathbin{\&} P_4 \vdash P_1}{
  \deduce{\Gamma;\ \Delta_1, P_i \vdash P_1}{\Xi}}
 &
 \deduce{\Gamma;\ \Delta_2, P_2 \vdash A}{\Sigma}}
\]

When the non-simple instance is a $\forall$ left introduction instance, or the instance above is a $\Rightarrow$, the permutations differ only slightly.

Suppose the non-simple instance is a $\multimap$ or $\Rightarrow$ left introduction instance. Observe that the right premise must begin with a left introduction instance; $A$ is atomic so no right introduction rules apply. Furthermore, observe that the left premise is irrelevant with respect to marking. We consider one case in detail, where $\Xi$, $\Xi'$ and $\Sigma$ are simple proofs:

\[
\infer[\multimap L]{\Gamma;\ \Delta_1, \Delta_2, \Delta_3, P_1 \multimap P_2, P_3 \multimap P_4 \vdash A}{
 \deduce{\Gamma;\ \Delta_3 \vdash P_3}{\Xi}
 &
 \infer[\multimap L]{\Gamma;\ \Delta_1, \Delta_2, P_1 \multimap P_2, P_4 \vdash A}{
  \deduce{\Gamma;\ \Delta_1, P_4 \vdash P_1}{\Xi'}
  &
  \deduce{\Gamma;\ \Delta_2, P_2 \vdash A}{\Sigma}}}
\]

This non-simple uniform proof may be permuted to one with the following form:

\[
\infer[\multimap L]{\Gamma;\ \Delta_1, \Delta_2, \Delta_3, P_1 \multimap P_2, P_3 \multimap P_4 \vdash A}{
 \infer[\multimap L]{\Gamma;\ \Delta_1, \Delta_3, P_3 \multimap P_4 \vdash P_1}{
  \deduce{\Gamma;\ \Delta_3 \vdash P_3}{\Xi}
  &
  \deduce{\Gamma;\ \Delta_1, P_4 \vdash P_1}{\Xi'}}
 &
 \deduce{\Gamma;\ \Delta_2, P_2 \vdash A}{\Sigma}}
\]

The remaining permutations involving non-simple $\multimap$ and $\Rightarrow$ left introduction instances follow this permutation closely. □

Instances of absorb may appear anywhere prior to the use of their principal formula. Without further meta-theoretical results, natural semantics style derivation mimicry in Lolli will be modulo absorb instance placement. The following definition prescribes an exact placement for all absorb instances.

Definition 7 (Coincided Proof). A coincided proof is a simple proof in which, for every absorb rule instance, the unbounded premise formula corresponding to the principal formula is the principal formula of a left introduction or identity rule instance directly above it.

The first proof in this section is not a coincided one because an absorb instance is detached, whereas the proof in Subsection 3.2 is a coincided one because all absorb instances satisfy Definition 7.

Theorem 8 (Lolli Admits Coincided Provability). The sequent $\Gamma;\Delta \vdash G$ has a simple proof in Lolli if and only if it has a coincided proof in Lolli.

Proof. This proof is similar to the previous ones. Observe that all coincided proofs are simple ones; this satisfies the “if” direction. Now consider the “only if” direction. It is easy to see that absorb instances may be permuted up until they coincide with a left introduction or identity rule instance. From this, we may conclude the argument by induction on the measure of non-coincided absorb rule instances. □


Theorems 4, 6 and 8 can be used to yield a reduced proof system that admits only coincided proofs. To do so we first inductively define a unary predicate $\|P\|$, where $P$ is a program clause formula, that captures a backward chaining proof search strategy. The predicate takes a program clause formula as an argument and returns a set of triples whose first, second and third projections are a set of goal formulas, a multiset of goal formulas and a program clause formula, respectively. Each triple represents unbounded (the first projection) and bounded (the second projection) proof obligations for some program clause formula. An unbounded proof obligation is one that must be proved strictly from the unbounded context and a bounded proof obligation is one that must be proved from some portion of the bounded context. Let $\|P\|$ be the smallest set such that:

1. $(\emptyset, \emptyset, A) \in \|A\|$

2. if $(\Gamma, \Delta, P_1 \mathbin{\&} P_2) \in \|P\|$ then both $(\Gamma, \Delta, P_1) \in \|P\|$ and $(\Gamma, \Delta, P_2) \in \|P\|$

3. if $(\Gamma, \Delta, \forall x.P) \in \|P\|$ then, for all closed terms $t$, $(\Gamma, \Delta, P[t/x]) \in \|P\|$

4. if $(\Gamma, \Delta, P_1 \Rightarrow P_2) \in \|P\|$ then $(\Gamma \cup \{P_1\}, \Delta, P_2) \in \|P\|$

5. if $(\Gamma, \Delta, P_1 \multimap P_2) \in \|P\|$ then $(\Gamma, \Delta \uplus \{P_1\}, P_2) \in \|P\|$

Let our specification logic have all right introduction rules from Figure 2 and the back chaining rules given in Figure 3.

There are two forms of backward chaining in this figure, both having as their principal formula $B$. Intuitively, an instance of either could replace a series of left introduction instances in a coincided proof. Using the former requires that the left introduction series begin (in a bottom-up reading) with an absorb instance.

Theorem 9 (The Specification Logic and Lolli Equivalence). The sequent $\Gamma;\Delta \vdash G$ has a proof in Lolli if and only if it has a proof in the specification logic.

Proof. In the “if” direction, due to the definition of the backward chaining rules, any back chaining instance in the specification logic proof can be replaced by some sequence of left introduction and absorb instances from Lolli.

Now, consider the “only if” direction. Application of Theorem 4 followed by Theorem 6 and finally Theorem 8 allows us to convert a Lolli proof to a coincided proof. Finally, by Definition 5 and the definition of $\|P\|$, we may replace runs of left-introduction and absorb instances by one of the two instances of backward chaining. □


4. Modeling Imperative Programming 
Languages 

In this section, the imperative programming language defined in Section 2 is modeled using the specification logic presented in Section 3. Additionally, proof mimicry of derivations is demonstrated by considering the proof of a modeled evaluation relation and that evaluation relation's derivation. Throughout this section and the rest of this paper, we refer to the imperative programming language and its evaluation semantics as the “object system”.

4.1 The Model

Our model extends the kinds of types we may have. Types in our model will now include a type for programs in the model, $R$, and a type for syntax representing natural numbers, $\mathbb{N}$ (again, overloaded for use in the specification logic).


Let $t_R$ be a function that translates programs from $\mathcal{L}$ given in Section 2 into terms of type $R$ in the specification logic.

\[
t_R(i) = \begin{cases}
i & \text{if } i \in \mathbb{N}\\
(\mathit{add}\ t_R(j)\ t_R(k)) & \text{if } i = j + k\\
(\mathit{sub}\ t_R(j)\ t_R(k)) & \text{if } i = j - k\\
(\mathit{gt}\ t_R(j)\ t_R(k)) & \text{if } i = j > k\\
(\mathit{get}\ t_R(j)) & \text{if } i = {*}j\\
(\mathit{set}\ t_R(j)\ t_R(k)) & \text{if } i = j \leftarrow k\\
(\mathit{seq}\ t_R(j)\ t_R(k)) & \text{if } i = j ; k\\
(\mathit{wh}\ t_R(j)\ t_R(k)) & \text{if } i = \mathbf{while}\ j\ \mathbf{do}\ k
\end{cases} \tag{4}
\]

Observe that any function can be represented as a set of tuples relating inputs to outputs. Such representations are often referred to as function graphs. Let $t_m$ be a recursive function that translates memory function graphs to multisets composed exclusively of occurrences of the binary predicate $m$ with the type $\mathbb{N} \rightarrow \mathbb{N} \rightarrow o$. The first argument to $m$ represents a memory location and the second argument represents the value stored at that location.

\[
t_m(M) = \begin{cases}
\emptyset & \text{if } M = \emptyset\\
(m\ l\ v),\ t_m(M') & \text{if } M = \{(l, v)\} \cup M'
\end{cases} \tag{5}
\]


The ternary evaluation predicate $e$ is defined in Figure 4 and has the type $R \rightarrow \mathbb{N} \rightarrow o \rightarrow o$. This definition models the natural semantics rules given in Figure 1. Its first argument is the program expression to be evaluated, its second argument is an element from $\mathbb{N}$ representing the return value of the input program, and its third argument is a formula that must be proved in the memory left behind after the program expression has been evaluated. In this definition, explicit quantification has been removed for clarity. All capitalized terms occurring in the head of a program clause formula are universally quantified variables. All capitalized terms occurring exclusively in the body of a program clause formula are existentially quantified variables.

The $e$ predicate relies heavily on a continuation-passing style [ref], where the universally quantified variable $C$ with type $o$ is a continuation. The use of continuations gives a natural way to express the subsequent evaluation of a program expression in potentially modified memory. For example, consider the program clause formula in Figure 4 modeling sequencing in the object system. As noted at the end of Subsection 2.1, one method for building a derivation would be to build derivations for the premises in left-to-right order. We capture this method in this formula: the first program expression should be evaluated, and this may result in modified memory; the second program expression should then be modeled for evaluation in this modified memory. Therefore, we extend the continuation with an evaluation predicate for the second program expression.

For each natural semantics style rule given in Section 2.1 there is a corresponding formula in Figure 4. A simple heuristic was followed to model each rule: modeled premises of a rule “extend” the continuation, becoming the body of a program clause formula. Continuation extension is done in left-to-right premise order. Finally, the conclusion of the rule will become the head of a program clause formula.

\[
\infer[BC_U]{\Gamma, B;\ \Delta_1, \ldots, \Delta_m \vdash A}{
 \Gamma;\ \emptyset \vdash B_1 & \cdots & \Gamma;\ \emptyset \vdash B_n
 &
 \Gamma;\ \Delta_1 \vdash C_1 & \cdots & \Gamma;\ \Delta_m \vdash C_m}
\qquad
\infer[BC_B]{\Gamma;\ \Delta_1, \ldots, \Delta_m, B \vdash A}{
 \Gamma;\ \emptyset \vdash B_1 & \cdots & \Gamma;\ \emptyset \vdash B_n
 &
 \Gamma;\ \Delta_1 \vdash C_1 & \cdots & \Gamma;\ \Delta_m \vdash C_m}
\]

Figure 3. In the specification logic, these back chaining rules replace all left-introduction rules from Figure 2. Both have the proviso that $n, m \ge 0$ and $(\{B_1, \ldots, B_n\}, \{C_1, \ldots, C_m\}, A) \in \|B\|$. The rule with $B$ in the unbounded context is $BC_U$ and the rule with $B$ in the bounded context is $BC_B$, the names used in Figures 5 and 6.

As we did in Section 2, we overload the operators $+$, $-$, $>$ and $\le$. Again, we associate the usual subtraction operation on natural numbers: $N_1 - N_2$ is $0$ if $N_1$ is less than $N_2$.

Let $\Gamma$ be a set exclusively containing the formulas from Figure 4. The evaluation relation between $(E, M)$ and $(N, M')$ defined in Section 2.1 is translated to the sequent

\[
\Gamma;\ t_m(M) \vdash (e\ t_R(E)\ N\ \top) \tag{6}
\]

The use of $\top$ here “throws away” the memory resulting from this evaluation, i.e. what is $M'$ in the evaluation relation. If inspection of this memory is necessary, we may replace $\top$ with a goal formula. For example, if we wanted to inspect the value in memory stored at location 1, we could use the following sequent:

\[
\Gamma;\ t_m(M) \vdash (e\ t_R(E)\ N\ ((m\ 1\ N_2) \otimes \top)).
\]

In our model of the object system, memory is accessed and modified using the subformula

\[
(m\ N_1\ N_2) \otimes ((m\ N_1\ N_3) \multimap C)
\]

where $N_1$, $N_2$ and $N_3$ have the type $\mathbb{N}$. When $N_2 = N_3$ the operation is a lookup, otherwise it is an update. If $M$ is memory undefined at $N_1$ then a proof of this subformula must have the following structure, due to the meta-theoretical results from Subsection 3.2 and our model.

\[
\infer[\otimes R]{\Gamma;\ (m\ N_1\ N_2),\ t_m(M) \vdash (m\ N_1\ N_2) \otimes ((m\ N_1\ N_3) \multimap C)}{
 \Gamma;\ (m\ N_1\ N_2) \vdash (m\ N_1\ N_2)
 &
 \Gamma;\ t_m(M) \vdash (m\ N_1\ N_3) \multimap C}
\]

Therefore, our treatment of state in our specification logic has an intuitive and logical reading of “remove the value $N_2$ at location $N_1$ and replace it with the value $N_3$”.

4.2 Proofs as Computations 

Consider the derivation given in Subsection 2.2 for the relation relating $(1 \leftarrow {*}2, M'')$ to $(M''(2), M''')$, where

\[
M'' = M[2 \mapsto M(0)][0 \mapsto M(1)]
\]

and $M$ is memory defined at 0, 1 and 2. The sequent corresponding to this evaluation relation is

\[
\Gamma;\ (m\ 0\ M(1)),\ (m\ 1\ M(1)),\ (m\ 2\ M(0)),\ t_m(O) \vdash (e\ (1 \leftarrow {*}2)\ M''(0)\ \top)
\]

where $O$ is memory and, for all $n \in \mathbb{N}$, if $n \ge 3$ then $O(n) = M(n)$, otherwise $O(n)$ is undefined. A proof of this sequent can be found in Figure 5. In this proof right introduction rules are omitted.

A mimicry of the derivation can be seen in this proof: for every rule instance that occurs in the derivation there is a corresponding $BC_U$ instance whose principal program clause formula models that derivation rule instance.
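The memory idiom of Subsection 4.1, the back chaining rules $BC_U$ and $BC_B$ of Subsection 3.2 and the run of $1 \leftarrow {*}2$ in Figure 5 can be exercised with the following small solver. It is an example added here, not code from the paper: it searches for proofs of $\Gamma;\ t_m(M) \vdash (e\ t_R(E)\ N\ C)$ with the Figure 4 clauses as $\Gamma$, handling the bounded context in the input/output resource model (a goal consumes some cells and passes the rest on) that Hodas and Miller use to implement Lolli. Assumed, and not from the paper: arithmetic side conditions and the type-$\mathbb{N}$ restriction are built-ins rather than formulas of $\Gamma$, natural numbers are Python ints with $z = 0$ and $s\ z = 1$, the while guard is tested before the loop body, and the memories are constructed.

```python
import itertools

is_var = lambda t: isinstance(t, str) and t[:1].isupper()   # variables: capitalised names
def walk(t, s):                      # follow bindings in substitution s
    while is_var(t) and t in s:
        t = s[t]
    return t

def unify(a, b, s):                  # extended substitution, or None on failure
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        return {**s, (a if is_var(a) else b): (b if is_var(a) else a)}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = s if s is None else unify(x, y, s)
        return s
    return None

def subst(t, s):                     # apply s throughout a term (ints, names, tuples)
    t = walk(t, s)
    return tuple(subst(x, s) for x in t) if isinstance(t, tuple) else t
def rename(t, k):                    # fresh copy of a clause (its universal closure)
    if is_var(t):
        return t + '#' + str(k)
    return tuple(rename(x, k) for x in t) if isinstance(t, tuple) else t
def arith(t, s):                     # + and truncated -, as overloaded in the paper
    t = subst(t, s)
    return t if not isinstance(t, tuple) else (t[1] + t[2] if t[0] == '+' else max(t[1] - t[2], 0))

# Side conditions as built-ins (this example's assumption); 'nat' is the type-N check
# on the constant clause, which an untyped unifier would otherwise lose.
BUILTIN = {'is':  lambda g, s: unify(g[1], arith(g[2], s), s),
           'gtr': lambda g, s: s if arith(g[1], s) > arith(g[2], s) else None,
           'leq': lambda g, s: s if arith(g[1], s) <= arith(g[2], s) else None,
           'nat': lambda g, s: s if isinstance(subst(g[1], s), int) else None}

# Figure 4 as (head, body) pairs; each clause of Gamma reads body -o head.  The while
# guard N1 > z is tested before the body so that depth-first search terminates.
body2 = lambda inner: ('e', 'E1', 'N1', ('e', 'E2', 'N2', inner))   # (e E1 N1 (e E2 N2 inner))
CLAUSES = [
    (('e', 'N', 'N', 'C'), ('tensor', ('nat', 'N'), 'C')),
    (('e', ('add', 'E1', 'E2'), 'N3', 'C'), body2(('tensor', ('is', 'N3', ('+', 'N1', 'N2')), 'C'))),
    (('e', ('sub', 'E1', 'E2'), 'N3', 'C'), body2(('tensor', ('is', 'N3', ('-', 'N1', 'N2')), 'C'))),
    (('e', ('gt', 'E1', 'E2'), 1, 'C'), body2(('tensor', ('gtr', 'N1', 'N2'), 'C'))),
    (('e', ('gt', 'E1', 'E2'), 0, 'C'), body2(('tensor', ('leq', 'N1', 'N2'), 'C'))),
    (('e', ('get', 'E'), 'N2', 'C'),      # lookup: consume the cell, hand the same cell on
     ('e', 'E', 'N1', ('tensor', ('m', 'N1', 'N2'), ('lolli', ('m', 'N1', 'N2'), 'C')))),
    (('e', ('set', 'E1', 'E2'), 'N2', 'C'),   # update: consume (m N1 N3), hand on (m N1 N2)
     body2(('tensor', ('m', 'N1', 'N3'), ('lolli', ('m', 'N1', 'N2'), 'C')))),
    (('e', ('seq', 'E1', 'E2'), 'N2', 'C'), body2('C')),
    (('e', ('wh', 'E1', 'E2'), 0, 'C'), ('e', 'E1', 'N1', ('tensor', ('gtr', 'N1', 0),
        ('e', 'E2', 'N2', ('e', ('wh', 'E1', 'E2'), 0, 'C'))))),
    (('e', ('wh', 'E1', 'E2'), 0, 'C'), ('e', 'E1', 'N1', ('tensor', ('is', 'N1', 0), 'C'))),
]

def solve(goal, delta, s, fresh=itertools.count()):
    # Yield (leftover, s') for each proof of Gamma; delta |- goal; delta is a list of
    # (tag, cell) resources, and a goal consumes some of them and returns the rest.
    goal = subst(goal, s)
    tag = goal[0] if isinstance(goal, tuple) else None
    if tag == 'top':                         # T-R absorbs whatever is left
        yield [], s
    elif tag == 'tensor':                    # (x)-R: thread the context through
        for d1, s1 in solve(goal[1], delta, s, fresh):
            yield from solve(goal[2], d1, s1, fresh)
    elif tag == 'lolli':                     # -o R: the added resource must be used
        res = (next(fresh), goal[1])
        for d1, s1 in solve(goal[2], delta + [res], s, fresh):
            if res not in d1:
                yield d1, s1
    elif tag == 'm':                         # BC_B: consume one matching cell
        for i, (_, r) in enumerate(delta):
            s1 = unify(goal, r, s)
            if s1 is not None:
                yield delta[:i] + delta[i + 1:], s1
    elif tag in BUILTIN:
        s1 = BUILTIN[tag](goal, s)
        if s1 is not None:
            yield delta, s1
    elif tag == 'e':                         # BC_U with a Figure 4 clause from Gamma
        for head, body in CLAUSES:
            k = next(fresh)
            s1 = unify(goal, rename(head, k), s)
            if s1 is not None:
                yield from solve(rename(body, k), delta, s1, fresh)
    else:
        raise ValueError('not a goal: %r' % (goal,))

def run(program, memory, cont=('top',)):
    # Prove Gamma; t_m(memory) |- (e program N cont); memory is the function graph.
    delta = [(('init', l), ('m', l, v)) for l, v in memory.items()]
    for left, s in solve(('e', program, 'Result', cont), delta, {}):
        if not left:                         # the whole bounded context is used up
            return subst('Result', s), s
    return None                              # no proof, e.g. a lookup of an undefined cell

Q = ('wh', ('gt', ('get', 1), 0),    # t_R(Q), the sum program as it appears in Figure 6
     ('seq', ('set', 0, ('add', ('get', 0), ('get', 1))),
             ('set', 1, ('sub', ('get', 1), 1))))
def lemma10(n1, n2):                 # Lemma 10's sequent; N3 is read back via (m 0 N3) (x) T
    _, s = run(Q, {0: n2, 1: n1}, ('tensor', ('m', 0, 'N3'), ('top',)))
    return subst('N3', s)
```

`run(('set', 1, ('get', 2)), {0: 11, 1: 22, 2: 33})` returns 33 as its value, the Figure 5 computation, and `lemma10(3, 5)` returns 11, i.e. $N_2 + \sum_{i=0}^{3} i$ as Lemma 10 predicts; `run(('get', 5), {0: 4})` returns `None` because no cell $(m\ 5\ N)$ can be consumed.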

5. Reasoning about Properties of Imperative 
Programs Using the Model 

In this section, we show that our model of the object system can be used to prove a property similar to what was shown in Subsection 2.3. As it was in Subsection 2.3, the property proven is trivial. However, the goal of this exercise is to demonstrate that the structure of the argument on the model follows very closely the structure of the argument from Subsection 2.3. In this sense, reasoning about properties of our model can be intuitive. This advantage when reasoning is a result of the mimicry exposed in Subsection 4.2.

5.1 Correctness as a Property of Proofs in the Model 

We must model Lemma 1 and Theorem 2 in the specification logic. The modeled lemma and theorem rely on the sum program from Equation 2, the term translation function from Equation 4, the memory translation function from Equation 5, the evaluation predicate $e$ from Figure 4 and, tacitly, the relationship translation function from Equation 6. As defined in Subsection 4.1, the set $\Gamma$ is exclusively inhabited by formulas from Figure 4.

Lemma 10 encodes Lemma 1 from Subsection 2.3 in the specification logic.

Lemma 10 (Total Correctness of $t_R(Q)$). $\forall N_1, N_2, M, M_0$, if $N_1, N_2 \in \mathbb{N}$ and $M = M_0[0 \mapsto N_2][1 \mapsto N_1]$ then $\exists N_3$, $N_3 \in \mathbb{N}$ and $\Gamma;\ t_m(M) \vdash (e\ t_R(Q)\ 0\ ((m\ 0\ N_3) \otimes \top))$ and

\[
N_3 = N_2 + \sum_{i=0}^{N_1} i.
\]

The value of a memory location was extracted by function application in the object system. In the encoding we retrieve the value from memory after program evaluation via a continuation formula. Specifically, in Lemma 10 that continuation formula is $(m\ 0\ N_3) \otimes \top$. This formula extracts only the value in memory at location 0. This is where we expect the result of program $Q$ to be stored.

The encoding of Theorem 2 is similar. Observe that $N_1$ and $N_2$ are immediately initialized upon evaluation of $P$; this use of $N_1$ and $N_2$ is only meant to ensure that memory $M$ is defined at locations 0 and 1.

Theorem 11 (Total Correctness of $t_R(P)$). $\forall N_1, N_2, M, M_0$, if $N_1, N_2 \in \mathbb{N}$ and $M = M_0[0 \mapsto N_2][1 \mapsto N_1]$ then $\exists N_3$, $N_3 \in \mathbb{N}$ and $\Gamma;\ t_m(M) \vdash (e\ t_R(P)\ 0\ ((m\ 0\ N_3) \otimes \top))$ and

\[
N_3 = \sum_{i=0}^{N} i.
\]

\[
\begin{array}{l}
C \multimap (e\ N\ N\ C)\\[2pt]
(e\ E_1\ N_1\ (e\ E_2\ N_2\ (N_3 = N_1 + N_2 \otimes C))) \multimap (e\ (\mathit{add}\ E_1\ E_2)\ N_3\ C)\\[2pt]
(e\ E_1\ N_1\ (e\ E_2\ N_2\ (N_3 = N_1 - N_2 \otimes C))) \multimap (e\ (\mathit{sub}\ E_1\ E_2)\ N_3\ C)\\[2pt]
(e\ E_1\ N_1\ (e\ E_2\ N_2\ (N_1 > N_2 \otimes C))) \multimap (e\ (\mathit{gt}\ E_1\ E_2)\ (s\ z)\ C)\\[2pt]
(e\ E_1\ N_1\ (e\ E_2\ N_2\ (N_1 \le N_2 \otimes C))) \multimap (e\ (\mathit{gt}\ E_1\ E_2)\ z\ C)\\[2pt]
(e\ E\ N_1\ ((m\ N_1\ N_2) \otimes ((m\ N_1\ N_2) \multimap C))) \multimap (e\ (\mathit{get}\ E)\ N_2\ C)\\[2pt]
(e\ E_1\ N_1\ (e\ E_2\ N_2\ ((m\ N_1\ N_3) \otimes ((m\ N_1\ N_2) \multimap C)))) \multimap (e\ (\mathit{set}\ E_1\ E_2)\ N_2\ C)\\[2pt]
(e\ E_1\ N_1\ (e\ E_2\ N_2\ C)) \multimap (e\ (\mathit{seq}\ E_1\ E_2)\ N_2\ C)\\[2pt]
((e\ E_1\ N_1\ (e\ E_2\ N_2\ (e\ (\mathit{wh}\ E_1\ E_2)\ z\ C))) \otimes N_1 > z) \multimap (e\ (\mathit{wh}\ E_1\ E_2)\ z\ C)\\[2pt]
((e\ E_1\ N_1\ C) \otimes N_1 = z) \multimap (e\ (\mathit{wh}\ E_1\ E_2)\ z\ C)
\end{array}
\]

Figure 4. The program clause formulas modeling the evaluation semantics given in Section 2.1 in the specification logic; each is written here as body $\multimap$ head.

\[
\begin{array}{ll}
\Gamma;\ \Delta \vdash ((m\ 2\ M(0)) \otimes ((m\ 2\ M(0)) \multimap ((m\ 1\ M(1)) \otimes ((m\ 1\ M(0)) \multimap \top)))) & \top R\\[2pt]
\Gamma;\ \Delta \vdash (e\ 2\ 2\ ((m\ 2\ M(0)) \otimes ((m\ 2\ M(0)) \multimap ((m\ 1\ M(1)) \otimes ((m\ 1\ M(0)) \multimap \top))))) & BC_U\\[2pt]
\Gamma;\ \Delta \vdash (e\ (\mathit{get}\ 2)\ M(0)\ ((m\ 1\ M(1)) \otimes ((m\ 1\ M(0)) \multimap \top))) & BC_U\\[2pt]
\Gamma;\ \Delta \vdash (e\ 1\ 1\ (e\ (\mathit{get}\ 2)\ M(0)\ ((m\ 1\ M(1)) \otimes ((m\ 1\ M(0)) \multimap \top)))) & BC_U\\[2pt]
\Gamma;\ \Delta \vdash (e\ (\mathit{set}\ 1\ (\mathit{get}\ 2))\ M(0)\ \top) & BC_U
\end{array}
\]

Figure 5. A proof of the sequent $\Gamma;\ (m\ 0\ M(1)),\ (m\ 1\ M(1)),\ (m\ 2\ M(0)),\ t_m(O) \vdash (e\ (1 \leftarrow {*}2)\ M''(0)\ \top)$, read bottom up, with $\Delta$ abbreviating the bounded context $(m\ 0\ M(1)),\ (m\ 1\ M(1)),\ (m\ 2\ M(0)),\ t_m(O)$; right introduction rules are omitted and each line is obtained from the one above it by the rule named on its right.

5.2 Reasoning about Proofs 

Reasoning about the model is structured according to the reasoning structure in Subsection 2.3.

Proof of Lemma 10. This will be shown by induction on $N_1$. In the first case, where $N_1 = 0$, the proof in Figure 6 can be constructed and we can conclude that $N_3 = N_2$. Therefore, we have that

\[
N_3 = N_2 + \sum_{i=0}^{N_1} i.
\]

In the second case we assume that Lemma 10 holds if $M(1) < N_1$ and must show this lemma holds when $M(1) = N_1$; this is our inductive hypothesis. Proof analysis of the sequent

\[
\Gamma;\ t_m(M'),\ (m\ 1\ M(1)),\ (m\ 0\ M(0)) \vdash (e\ t_R(Q)\ 0\ ((m\ 0\ N_3) \otimes \top))
\]

reveals that it suffices to build a proof for the sequent

\[
\Gamma;\ (m\ 1\ (M(1) - 1)),\ (m\ 0\ (M(0) + M(1))),\ t_m(M') \vdash (e\ t_R(Q)\ 0\ ((m\ 0\ N_3) \otimes \top)).
\]

We omit such a proof in our discussion here; it mimics the derivation for the second case given in Subsection 2.3, it is tedious, and its construction is completely mechanizable in our specification logic. The inductive hypothesis yields this sequent. Additionally, by the inductive hypothesis, we have

\[
N_4 = (M(0) + M(1)) + \sum_{i=0}^{M(1)-1} i
\]

for some $N_4 \in \mathbb{N}$. This is equivalent to

\[
N_4 = M(0) + \sum_{i=0}^{M(1)} i
\]

and thus, $N_3 = N_4$. □

Proof of Theorem 11. We must prove

\[
\Gamma;\ t_m(M) \vdash (e\ t_R(P)\ 0\ ((m\ 0\ N_3) \otimes \top))
\]

and $N_3 = \sum_{i=0}^{N} i$. Proof analysis of this sequent reveals it is sufficient to prove the sequent

\[
\Gamma;\ (m\ 1\ N),\ (m\ 0\ 0) \vdash (e\ t_R(Q)\ 0\ ((m\ 0\ N_3) \otimes \top)).
\]

We have both by Lemma 10. □

\[
\infer[BC_U]{\Gamma;\ t_m(M'), (m\ 1\ 0), (m\ 0\ N_2) \vdash (e\ W\ 0\ K)}{
 \infer[BC_U]{\Gamma;\ t_m(M'), (m\ 1\ 0), (m\ 0\ N_2) \vdash (e\ (\mathit{gt}\ (\mathit{get}\ 1)\ 0)\ 0\ ((0 <> 1) \otimes K))}{
  \infer[BC_U]{\Gamma;\ t_m(M'), (m\ 1\ 0), (m\ 0\ N_2) \vdash (e\ (\mathit{get}\ 1)\ 0\ G)}{
   \infer[BC_U]{\Gamma;\ t_m(M'), (m\ 1\ 0), (m\ 0\ N_2) \vdash (e\ 1\ 1\ ((m\ 1\ 0) \otimes ((m\ 1\ 0) \multimap G)))}{
    \infer[\otimes R]{\Gamma;\ t_m(M'), (m\ 1\ 0), (m\ 0\ N_2) \vdash ((m\ 1\ 0) \otimes ((m\ 1\ 0) \multimap G))}{
     \infer[BC_B]{\Gamma;\ (m\ 1\ 0) \vdash (m\ 1\ 0)}{}
     &
     \infer[\multimap R]{\Gamma;\ t_m(M'), (m\ 0\ N_2) \vdash ((m\ 1\ 0) \multimap G)}{
      \infer[BC_U]{\Gamma;\ t_m(M'), (m\ 0\ N_2), (m\ 1\ 0) \vdash G}{
       \infer[\otimes R]{\Gamma;\ t_m(M'), (m\ 0\ N_2), (m\ 1\ 0) \vdash (0 \le 0 \otimes ((0 <> 1) \otimes K))}{
        \Gamma;\ \emptyset \vdash 0 \le 0
        &
        \infer[\otimes R]{\Gamma;\ t_m(M'), (m\ 0\ N_2), (m\ 1\ 0) \vdash ((0 <> 1) \otimes K)}{
         \Gamma;\ \emptyset \vdash (0 <> 1)
         &
         \infer[\otimes R]{\Gamma;\ t_m(M'), (m\ 0\ N_2), (m\ 1\ 0) \vdash K}{
          \infer[BC_B]{\Gamma;\ (m\ 0\ N_2) \vdash (m\ 0\ N_2)}{}
          &
          \infer[\top R]{\Gamma;\ t_m(M'), (m\ 1\ 0) \vdash \top}{}}}}}}}}}}
\]

Figure 6. A proof of the judgment $\Gamma;\ t_m(M) \vdash (e\ t_R(Q)\ 0\ ((m\ 0\ N_2) \otimes \top))$ where $N_1, N_2 \in \mathbb{N}$, $N_1 = 0$, $M = M_0[0 \mapsto N_2][1 \mapsto N_1]$, and $M'$ is a partial function undefined at 0, 1 and equal to $M_0$ otherwise. Here $W$ abbreviates $t_R(Q) = (\mathit{wh}\ (\mathit{gt}\ (\mathit{get}\ 1)\ 0)\ (\mathit{seq}\ (\mathit{set}\ 0\ (\mathit{add}\ (\mathit{get}\ 0)\ (\mathit{get}\ 1)))\ (\mathit{set}\ 1\ (\mathit{sub}\ (\mathit{get}\ 1)\ 1))))$, $K$ abbreviates $((m\ 0\ N_2) \otimes \top)$ and $G$ abbreviates $(e\ 0\ 0\ (0 \le 0 \otimes ((0 <> 1) \otimes K)))$.

5.3 Extracting Properties from the Model 

We would like to extract Lemma 10 and Theorem 11 into the object system. In general, doing so requires some confidence that the extracted property is meaningful in the object system. Such confidence is typically acquired through an informal adequacy argument [ref].

The adequacy of an encoding can be shown by giving a bijective translation function from the object system to the encoding. There are complexities in providing such a translation for our encoding; in the object system, memory is a term while in the encoding memory is a formula. How such a translation can be given is left to future work.

6. Conclusion 

We have considered in this paper the possibility of formalizing the process of reasoning about properties of imperative programs. Towards this end, we have described a specification logic that can transparently model imperative programming languages with semantics defined in a natural semantics style. An important aspect of this specification logic is that its proof relation can be restructured so as to yield derivations that closely resemble the ones that may be constructed in the original natural semantics style encodings of object systems. We have illustrated how this characteristic can be exploited in reasoning about the properties of the object systems. In our example, we have used an informal style of reasoning over specification logic derivations. However, we believe that this reasoning process can be formalized and we are examining this aspect in ongoing work. In particular, we are exploring the idea of using a two-level logic approach [refs] that has been successfully exploited in conjunction with an intuitionistic specification logic in the Abella system [ref]. In this approach, we encode a specification logic via its derivability relation within a rich “reasoning” logic; by using the capabilities of the reasoning logic, we then obtain the ability to prove properties about derivations in the specification logic. One of our immediate goals is to accommodate a linear specification logic within the same reasoning logic that underlies Abella, thereby producing a variant of Abella that supports the development of formal arguments related to systems oriented around resource usage. Once we have an implementation of such a system at hand, the next step would be to use it to formalize the kinds of arguments we have presented in this paper.

In addition to actually implementing the ideas we have discussed in this paper within a formal system, we must also extend them so that we can reason about a larger, more realistic collection of programs. The imperative programs that we have considered in this paper use programming language constructs permitting non-termination and memory manipulations, i.e. lookup and update. In essence, we have demonstrated that our approach can be effective when reasoning about properties of basic imperative programs lacking pointers (because memory values were never used in lookups) or dynamic allocation. Going forward, we would like to examine two particular kinds of extensions to this work.

• The language chosen in this paper does not permit complex notions of data, dynamic memory allocation, or functional aspects. It does permit references but the imperative program analyzed does not use them. A more relevant language to model would be a subset of SML [ref] excluding data-type definitions and the module subsystem. This subset would not make modeling evaluation semantics much more complex. For example, memory allocation can be treated naturally using universal quantifiers. We conjecture that such changes will not alter the intuitive nature of reasoning.

• The program chosen and its correctness property are trivial. Programs in common use among other researchers concerned with reasoning about imperative programs are linked list (singly or doubly) manipulation programs and implementations of the Schorr-Waite algorithm [ref]. Additionally, properties of programs using references can be particularly difficult to reason about due to aliasing. Aliasing occurs when a location can be accessed in two different ways. For example, the program

\[
1 \leftarrow 0;\ 2 \leftarrow 1;\ 3 \leftarrow 1;\ {*}2 \leftarrow 4;\ {*}{*}3
\]

is one where aliasing occurs; the last two program expressions will update and lookup, respectively, location 1. Reasoning in basic Hoare logic is unsound when programs containing aliasing are considered. Hoare logic can be extended such that reasoning about pointers is technically feasible but complex [ref]. We have an inchoate idea that a treatment of aliasing should not require major changes to our specification logic because locations are not named. Therefore, references to aliased data are explicit. How this treatment will affect reasoning intuitions remains unclear.


Finally, we must better understand the connections between our approach and others such as ones using Hoare and separation based logic [refs], pointer assertion logic [ref], parametric shape analysis [ref], and aliasing logic [ref].